Over the course of this year, some of the most prominent firms and government organizations have had defenses breached and customer records stolen.
Looking behind the headlines, I have two main concerns – the first about the way organizations construct their defenses and the second about the way they react when disaster strikes. These organizations just don’t seem to have a plan in place.
Enterprises often take a blanket approach to information security. Some try to protect everything against every imaginable threat – sometimes at tremendous expense. Others spread whatever they can afford evenly, hoping – praying – this will keep attackers at bay.
The first step is to define what we call a risk appetite – the amount of risk you’re prepared to take in each area of your operations, from your interfaces with customers and suppliers to the ‘inner sanctums’ that hold your most valuable assets. That done, you can start to think not just about the defenses you need to put in place, but the processes you need to enforce the security policy you’ve set out.
When everything’s in place, you need to check that it works.
Penetration testing tools can root out vulnerabilities such as missing patches and the use of default passwords, but they are no match for human hackers. They won’t phone someone in your IT department, pretend to be a user who’s forgotten his or her password and ask for help in getting back online.
And while vendors will tell you their products are effective when run ‘out of the box,’ this isn’t always the case. The better you are at thinking like a hacker, the more likely you’ll be able to configure tools in ways that fully identify your defenses’ weaknesses. For these reasons, it’s best to employ ethical hackers – people who think and act like hackers, have access to hackers’ latest tools, but go no further than reporting problems they discover.
This isn’t the end, of course. Cybersecurity is like a game of chess. Every time your opponents make a move, it’s your job to block their path. But even grandmasters don’t win every time. Sometimes, an attack will get through.
If you are one of the many organizations that suffered a breach recently, you know this. You also know that the hours immediately after a breach are particularly critical. What you do then affects not just the costs you incur but the public relations fallout. It’s important to have a crisis management plan in place – one that makes it clear what everyone should do and, in particular, how communications with customers, the media and other stakeholders are to be handled.
Experience suggests honesty is the best policy. Attempts to minimize problems and downplay their impact have a habit of making things worse.
When you think about it, the recipe for staying out of the headlines can be quite simple:
- Determine your risk appetite
- Set a baseline
- Build or modify to have a solid foundation
- Inspect what you expect
- Test to validate
- Continue to “rinse and repeat” to have a best-of-breed security program
By Jeff Schmidt, Global Portfolio Head of Business Continuity, Security & Governance Capability, BT